Bump Terraform azuread provider version to 3.0.2 (#853)

<Actions> <action id="6d17e7acdb2f3311576150379e22805f2f9b4aa72ff00ec136aceee45cae4b98"> <h3>Bump Terraform `azuread` provider version</h3> <details id="1d9343c012f5434ac9fe8a98135bae3667b399259be16d9b14302ea3bd424a24"> <summary>Update Terraform lock file</summary> <p>changes detected:
	"hashicorp/azuread" updated from "2.53.1" to "3.0.2" in file ".terraform.lock.hcl"</p> </details> <a href="https://infra.ci.jenkins.io/job/updatecli/job/azure/job/main/488/">Jenkins pipeline link</a> </action> </Actions> --- <table> <tr> <td width="77"> <img src="https://www.updatecli.io/images/updatecli.png" alt="Updatecli logo" width="50" height="50"> </td> <td> <p> Created automatically by <a href="https://www.updatecli.io/">Updatecli</a> </p> <details><summary>Options:</summary> <br /> <p>Most of Updatecli configuration is done via <a href="https://www.updatecli.io/docs/prologue/quick-start/">its manifest(s)</a>.</p> <ul> <li>If you close this pull request, Updatecli will automatically reopen it, the next time it runs.</li> <li>If you close this pull request and delete the base branch, Updatecli will automatically recreate it, erasing all previous commits made.</li> </ul> <p> Feel free to report any issues at <a href="https://github.com/updatecli/updatecli/issues">github.com/updatecli/updatecli</a>.<br /> If you find this tool useful, do not hesitate to star <a href="https://github.com/updatecli/updatecli/stargazers">our GitHub repository</a> as a sign of appreciation, and/or to tell us directly on our <a href="https://matrix.to/#/#Updatecli_community:gitter.im">chat</a>! </p> </details> </td> </tr> </table> --------- Signed-off-by: Damien Duportal <damien.duportal@gmail.com> Co-authored-by: Jenkins Infra Bot (updatecli) <60776566+jenkins-infra-bot@users.noreply.github.com> Co-authored-by: Damien Duportal <damien.duportal@gmail.com>
jenkins-infra · Oct 16, 2024 · d8967eb · d8967eb
1 parent 5072e32
commit d8967eb
Show file tree

Hide file tree

Showing 9 changed files with 56 additions and 50 deletions.
diff --git a/.shared-tools b/.shared-tools
diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
diff --git a/cert.ci.jenkins.io.tf b/cert.ci.jenkins.io.tf
@@ -25,7 +25,7 @@ module "cert_ci_jenkins_io" {
   }
 
   controller_service_principal_ids = [
-    data.azuread_service_principal.terraform_production.id,
+    data.azuread_service_principal.terraform_production.object_id,
   ]
   controller_service_principal_end_date = "2024-11-06T00:00:00Z"
   controller_packer_rg_ids = [

diff --git a/ci.jenkins.io.tf b/ci.jenkins.io.tf
@@ -29,7 +29,7 @@ module "ci_jenkins_io_sponsorship" {
     privatevpn_subnet = data.azurerm_subnet.private_vnet_data_tier.address_prefixes
   }
   controller_service_principal_ids = [
-    data.azuread_service_principal.terraform_production.id,
+    data.azuread_service_principal.terraform_production.object_id,
   ]
   controller_service_principal_end_date = "2025-01-13T00:00:00Z"
   controller_packer_rg_ids = [

diff --git a/infra.ci.jenkins.io.tf b/infra.ci.jenkins.io.tf
@@ -19,7 +19,7 @@ resource "azurerm_storage_account" "infra_ci_jenkins_io_agents" {
 resource "azuread_application" "infra_ci_jenkins_io" {
   display_name = "infra.ci.jenkins.io"
   owners = [
-    data.azuread_service_principal.terraform_production.id,
+    data.azuread_service_principal.terraform_production.object_id,
   ]
   tags = [for key, value in local.default_tags : "${key}:${value}"]
   required_resource_access {
@@ -38,7 +38,7 @@ resource "azuread_service_principal" "infra_ci_jenkins_io" {
   client_id                    = azuread_application.infra_ci_jenkins_io.client_id
   app_role_assignment_required = false
   owners = [
-    data.azuread_service_principal.terraform_production.id,
+    data.azuread_service_principal.terraform_production.object_id,
   ]
 }
 resource "azuread_application_password" "infra_ci_jenkins_io" {
@@ -50,30 +50,30 @@ resource "azuread_application_password" "infra_ci_jenkins_io" {
 resource "azurerm_role_assignment" "infra_ci_jenkins_io_allow_azurerm" {
   scope                = azurerm_resource_group.infra_ci_jenkins_io_agents.id
   role_definition_name = "Contributor"
-  principal_id         = azuread_service_principal.infra_ci_jenkins_io.id
+  principal_id         = azuread_service_principal.infra_ci_jenkins_io.object_id
 }
 resource "azurerm_role_assignment" "infra_ci_jenkins_io_allow_packer" {
   scope                = azurerm_resource_group.packer_images["prod"].id
   role_definition_name = "Reader"
-  principal_id         = azuread_service_principal.infra_ci_jenkins_io.id
+  principal_id         = azuread_service_principal.infra_ci_jenkins_io.object_id
 }
 resource "azurerm_role_assignment" "infra_ci_jenkins_io_privatek8s_subnet_role" {
   scope                = data.azurerm_subnet.privatek8s_tier.id
   role_definition_name = "Virtual Machine Contributor"
-  principal_id         = azuread_service_principal.infra_ci_jenkins_io.id
+  principal_id         = azuread_service_principal.infra_ci_jenkins_io.object_id
 }
 resource "azurerm_role_assignment" "infra_ci_jenkins_io_privatek8s_subnet_private_vnet_reader" {
   scope              = data.azurerm_virtual_network.private.id
   role_definition_id = azurerm_role_definition.private_vnet_reader.role_definition_resource_id
-  principal_id       = azuread_service_principal.infra_ci_jenkins_io.id
+  principal_id       = azuread_service_principal.infra_ci_jenkins_io.object_id
 }
 
 # Required to allow azcopy sync of contributors.jenkins.io File Share
 module "infraci_contributorsjenkinsio_fileshare_serviceprincipal_writer" {
   source = "./.shared-tools/terraform/modules/azure-jenkinsinfra-fileshare-serviceprincipal-writer"
 
   service_fqdn                   = "infra-ci-jenkins-io-fileshare_serviceprincipal_writer"
-  active_directory_owners        = [data.azuread_service_principal.terraform_production.id]
+  active_directory_owners        = [data.azuread_service_principal.terraform_production.object_id]
   active_directory_url           = "https://github.com/jenkins-infra/azure"
   service_principal_end_date     = local.end_dates.infra_ci_jenkins_io.infraci_contributorsjenkinsio_fileshare_serviceprincipal_writer.end_date
   file_share_resource_manager_id = azurerm_storage_share.contributors_jenkins_io.resource_manager_id
@@ -93,7 +93,7 @@ module "infraci_docsjenkinsio_fileshare_serviceprincipal_writer" {
   source = "./.shared-tools/terraform/modules/azure-jenkinsinfra-fileshare-serviceprincipal-writer"
 
   service_fqdn                   = "infra-ci-jenkins-io-fileshare_serviceprincipal_writer"
-  active_directory_owners        = [data.azuread_service_principal.terraform_production.id]
+  active_directory_owners        = [data.azuread_service_principal.terraform_production.object_id]
   active_directory_url           = "https://github.com/jenkins-infra/azure"
   service_principal_end_date     = local.end_dates.infra_ci_jenkins_io.infraci_docsjenkinsio_fileshare_serviceprincipal_writer.end_date
   file_share_resource_manager_id = azurerm_storage_share.docs_jenkins_io.resource_manager_id
@@ -113,7 +113,7 @@ module "infraci_statsjenkinsio_fileshare_serviceprincipal_writer" {
   source = "./.shared-tools/terraform/modules/azure-jenkinsinfra-fileshare-serviceprincipal-writer"
 
   service_fqdn                   = "infra-ci-jenkins-io-fileshare_serviceprincipal_writer"
-  active_directory_owners        = [data.azuread_service_principal.terraform_production.id]
+  active_directory_owners        = [data.azuread_service_principal.terraform_production.object_id]
   active_directory_url           = "https://github.com/jenkins-infra/azure"
   service_principal_end_date     = local.end_dates.infra_ci_jenkins_io.infraci_statsjenkinsio_fileshare_serviceprincipal_writer.end_date
   file_share_resource_manager_id = azurerm_storage_share.stats_jenkins_io.resource_manager_id
@@ -158,7 +158,7 @@ resource "azurerm_role_assignment" "infra_controller_vnet_reader" {
   provider           = azurerm.jenkins-sponsorship
   scope              = data.azurerm_virtual_network.infra_ci_jenkins_io_sponsorship.id
   role_definition_id = azurerm_role_definition.infra_ci_jenkins_io_controller_vnet_sponsorship_reader.role_definition_resource_id
-  principal_id       = azuread_service_principal.infra_ci_jenkins_io.id
+  principal_id       = azuread_service_principal.infra_ci_jenkins_io.object_id
 }
 module "infra_ci_jenkins_io_azurevm_agents_jenkins_sponsorship" {
   providers = {
@@ -173,7 +173,7 @@ module "infra_ci_jenkins_io_azurevm_agents_jenkins_sponsorship" {
   ephemeral_agents_subnet_name     = data.azurerm_subnet.infra_ci_jenkins_io_sponsorship_ephemeral_agents.name
   controller_rg_name               = azurerm_resource_group.infra_ci_jenkins_io_controller_jenkins_sponsorship.name
   controller_ips                   = data.azurerm_subnet.privatek8s_infra_ci_controller_tier.address_prefixes # Pod IPs: controller IP may change in the pods IP subnet
-  controller_service_principal_id  = azuread_service_principal.infra_ci_jenkins_io.id
+  controller_service_principal_id  = azuread_service_principal.infra_ci_jenkins_io.object_id
   default_tags                     = local.default_tags
   storage_account_name             = "infraciagentssub" # Max 24 chars
 
@@ -233,7 +233,7 @@ module "infraci_pluginsjenkinsio_fileshare_serviceprincipal_writer" {
   source = "./.shared-tools/terraform/modules/azure-jenkinsinfra-fileshare-serviceprincipal-writer"
 
   service_fqdn                   = "infraci-pluginsjenkinsio-fileshare_serviceprincipal_writer"
-  active_directory_owners        = [data.azuread_service_principal.terraform_production.id]
+  active_directory_owners        = [data.azuread_service_principal.terraform_production.object_id]
   active_directory_url           = "https://github.com/jenkins-infra/azure"
   service_principal_end_date     = local.end_dates.infra_ci_jenkins_io.infraci_pluginsjenkinsio_fileshare_serviceprincipal_writer.end_date
   file_share_resource_manager_id = azurerm_storage_share.plugins_jenkins_io.resource_manager_id
@@ -366,7 +366,9 @@ resource "azurerm_resource_group" "updatecli_infra_ci_jenkins_io" {
 resource "azuread_application" "updatecli_infra_ci_jenkins_io" {
   display_name = "updatecli_infra.ci.jenkins.io"
   owners = [
-    data.azuread_service_principal.terraform_production.id,
+    # Commenting out to migrate to new AzureAD provider
+    # data.azuread_service_principal.terraform_production.id,
+    "b847a030-25e1-4791-ad04-9e8484d87bce",
   ]
   tags = [for key, value in local.default_tags : "${key}:${value}"]
   required_resource_access {
@@ -385,7 +387,9 @@ resource "azuread_service_principal" "updatecli_infra_ci_jenkins_io" {
   client_id                    = azuread_application.updatecli_infra_ci_jenkins_io.client_id
   app_role_assignment_required = false
   owners = [
-    data.azuread_service_principal.terraform_production.id,
+    # Commenting out to migrate to new AzureAD provider
+    # data.azuread_service_principal.terraform_production.id,
+    "b847a030-25e1-4791-ad04-9e8484d87bce",
   ]
 }
 resource "azuread_application_password" "updatecli_infra_ci_jenkins_io" {
@@ -406,5 +410,5 @@ resource "azurerm_role_definition" "vm_images_reader" {
 resource "azurerm_role_assignment" "updatecli_infra_ci_jenkins_io_allow_images_list" {
   scope              = azurerm_resource_group.updatecli_infra_ci_jenkins_io.id
   role_definition_id = azurerm_role_definition.vm_images_reader.role_definition_resource_id
-  principal_id       = azuread_service_principal.updatecli_infra_ci_jenkins_io.id
+  principal_id       = azuread_service_principal.updatecli_infra_ci_jenkins_io.object_id
 }
diff --git a/packer-resources.tf b/packer-resources.tf
@@ -3,7 +3,7 @@
 resource "azuread_application" "packer" {
   display_name = "packer"
   owners = [
-    data.azuread_service_principal.terraform_production.id, # terraform-production Service Principal, used by the CI system
+    data.azuread_service_principal.terraform_production.object_id, # terraform-production Service Principal, used by the CI system
   ]
   tags = [for key, value in local.default_tags : "${key}:${value}"]
   required_resource_access {
@@ -24,7 +24,7 @@ resource "azuread_service_principal" "packer" {
   client_id                    = azuread_application.packer.client_id
   app_role_assignment_required = false
   owners = [
-    data.azuread_service_principal.terraform_production.id, # terraform-production Service Principal, used by the CI system
+    data.azuread_service_principal.terraform_production.object_id, # terraform-production Service Principal, used by the CI system
   ]
 }
 
@@ -119,7 +119,7 @@ resource "azurerm_role_assignment" "packer_role_images_assignement" {
 
   scope                = each.value.id
   role_definition_name = "Contributor"
-  principal_id         = azuread_service_principal.packer.id
+  principal_id         = azuread_service_principal.packer.object_id
 }
 # Allow packer Service Principal to manage AzureRM resources inside the packer resource groups
 resource "azurerm_role_assignment" "packer_role_builds_assignement" {
@@ -128,11 +128,11 @@ resource "azurerm_role_assignment" "packer_role_builds_assignement" {
 
   scope                = each.value.id
   role_definition_name = "Contributor"
-  principal_id         = azuread_service_principal.packer.id
+  principal_id         = azuread_service_principal.packer.object_id
 }
 resource "azurerm_role_assignment" "packer_role_manage_subnet" {
   provider             = azurerm.jenkins-sponsorship
   scope                = data.azurerm_subnet.infra_ci_jenkins_io_sponsorship_packer_builds.id
   role_definition_name = "Network Contributor"
-  principal_id         = azuread_service_principal.packer.id
+  principal_id         = azuread_service_principal.packer.object_id
 }
diff --git a/publick8s.tf b/publick8s.tf
@@ -357,7 +357,7 @@ module "cronjob_geoip_data_fileshare_serviceprincipal_writer" {
   source = "./.shared-tools/terraform/modules/azure-jenkinsinfra-fileshare-serviceprincipal-writer"
 
   service_fqdn                   = "${azurerm_resource_group.publick8s.name}-fileshare_serviceprincipal_writer-redirects"
-  active_directory_owners        = [data.azuread_service_principal.terraform_production.id]
+  active_directory_owners        = [data.azuread_service_principal.terraform_production.object_id]
   active_directory_url           = "https://github.com/jenkins-infra/azure"
   service_principal_end_date     = "2024-12-23T00:00:00Z"
   file_share_resource_manager_id = azurerm_storage_share.geoip_data.resource_manager_id

diff --git a/test.ci.jenkins.io.tf b/test.ci.jenkins.io.tf
@@ -31,7 +31,7 @@ data "azurerm_subnet" "test_azurevm_agents_agents_sponsorship" {
 ####################################################################################
 resource "azuread_application" "test_azurevm_agents_sponsorship" {
   display_name = "test.jay.onboarding"
-  owners       = [data.azuread_service_principal.terraform_production.id]
+  owners       = [data.azuread_service_principal.terraform_production.object_id]
   tags         = [for key, value in local.default_tags : "${key}:${value}"]
   required_resource_access {
     resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph
@@ -48,7 +48,7 @@ resource "azuread_application" "test_azurevm_agents_sponsorship" {
 resource "azuread_service_principal" "test_azurevm_agents_sponsorship" {
   client_id                    = azuread_application.test_azurevm_agents_sponsorship.client_id
   app_role_assignment_required = false
-  owners                       = [data.azuread_service_principal.terraform_production.id]
+  owners                       = [data.azuread_service_principal.terraform_production.object_id]
 }
 resource "azuread_application_password" "test_azurevm_agents_sponsorship" {
   application_id = azuread_application.test_azurevm_agents_sponsorship.id
@@ -58,7 +58,7 @@ resource "azuread_application_password" "test_azurevm_agents_sponsorship" {
 resource "azurerm_role_assignment" "controller_read_packer_prod_images" {
   scope                = azurerm_resource_group.packer_images["prod"].id
   role_definition_name = "Reader"
-  principal_id         = azuread_service_principal.test_azurevm_agents_sponsorship.id
+  principal_id         = azuread_service_principal.test_azurevm_agents_sponsorship.object_id
 }
 resource "azurerm_role_definition" "jayonboarding_vnet_writer" {
   name  = "write-test.jay.onboarding-VNET"
@@ -71,7 +71,7 @@ resource "azurerm_role_definition" "jayonboarding_vnet_writer" {
 resource "azurerm_role_assignment" "jayonboarding_vnet_writer" {
   scope              = data.azurerm_virtual_network.test_azurevm_agents_sponsorship.id
   role_definition_id = azurerm_role_definition.jayonboarding_vnet_writer.role_definition_resource_id
-  principal_id       = azuread_service_principal.test_azurevm_agents_sponsorship.id
+  principal_id       = azuread_service_principal.test_azurevm_agents_sponsorship.object_id
 }
 
 module "test_azurevm_agents_sponsorship" {
@@ -90,7 +90,7 @@ module "test_azurevm_agents_sponsorship" {
     "135.237.163.64", # VM (manually managed) public IP
     "10.0.0.4",       # VM (manually managed) private IP
   ])
-  controller_service_principal_id = azuread_service_principal.test_azurevm_agents_sponsorship.id
+  controller_service_principal_id = azuread_service_principal.test_azurevm_agents_sponsorship.object_id
   default_tags                    = local.default_tags
   storage_account_name            = "jayagentssub" # Max 24 chars